authorGravatar Ciro Spaciari <ciro.spaciari@gmail.com> 2023-07-17 23:39:09 -0300
committerGravatar GitHub <noreply@github.com> 2023-07-17 19:39:09 -0700
commit13b54fbdb8cc36bbe027238654360f159ecaefbb (patch)
tree9f905b3520a01ba64cf10df0eefe2fe35c196648 /test/js/node
parent9273e29f0eba9c9d185a602d30def5a6b981ad55 (diff)
[tls] General compatibility improvements (#3596)
* wip * subjectaltname * more progress * bindings * fmt * getCert/getPeerCertificate * fix checkServerIdentity * fix checkServerIdentity * add a lot of TLSSocket functions * getEphemeralKeyInfo fix and comment * add alternative for getEphemeralKeyInfo * add get session and set session * fix isSessionReused * get back the raw data for MSSQL * fixeup * fixup getSession + tests * fix doc + fmt * getFinished/getPeerFinished * codegen * fixup * revert webkit * more fixes * ssl helper + revert test oops * asserts
Diffstat (limited to 'test/js/node')
-rw-r--r--test/js/node/tls/node-tls-connect.test.ts91
-rw-r--r--test/js/node/tls/node-tls-server.test.ts77
2 files changed, 167 insertions, 1 deletions
diff --git a/test/js/node/tls/node-tls-connect.test.ts b/test/js/node/tls/node-tls-connect.test.ts
index 791dba88a..716dac3c6 100644
--- a/test/js/node/tls/node-tls-connect.test.ts
+++ b/test/js/node/tls/node-tls-connect.test.ts
@@ -30,3 +30,94 @@ it("should work with alpnProtocols", done => {
done(err);
}
});
+
+it("should have peer certificate", async () => {
+ const socket = (await new Promise((resolve, reject) => {
+ const instance = connect(
+ {
+ ALPNProtocols: ["http/1.1"],
+ host: "bun.sh",
+ servername: "bun.sh",
+ port: 443,
+ rejectUnauthorized: false,
+ requestCert: true,
+ },
+ function () {
+ resolve(instance);
+ },
+ ).on("error", reject);
+ })) as TLSSocket;
+
+ try {
+ expect(socket).toBeDefined();
+ const cert = socket.getPeerCertificate();
+ expect(cert).toBeDefined();
+ expect(cert.subject).toBeDefined();
+ expect(cert.subject.CN).toBe("bun.sh");
+ expect(cert.issuer).toBeDefined();
+ expect(cert.issuer.C).toBe("US");
+ expect(cert.issuer.O).toBe("Google Trust Services LLC");
+ expect(cert.issuer.CN).toBe("GTS CA 1P5");
+ expect(cert.subjectaltname).toBe("DNS:bun.sh, DNS:*.bun.sh");
+ expect(cert.infoAccess).toBeDefined();
+
+ const infoAccess = cert.infoAccess as NodeJS.Dict<string[]>;
+ expect(infoAccess["OCSP - URI"]).toBeDefined();
+ expect(infoAccess["CA Issuers - URI"]).toBeDefined();
+ expect(cert.ca).toBeFalse();
+ expect(cert.bits).toBe(2048);
+ expect(cert.modulus).toBe(
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
+ );
+ expect(cert.exponent).toBe("0x10001");
+ expect(cert.pubkey).toBeInstanceOf(Buffer);
+ expect(cert.valid_from).toBe("Jun 1 01:36:52 2023 GMT"); // yes this space is intentional
+ expect(cert.valid_to).toBe("Aug 30 01:36:51 2023 GMT");
+ expect(cert.fingerprint).toBe("41:66:63:69:DC:31:95:B6:89:7C:54:72:80:19:EA:58:EE:26:FC:FA");
+ expect(cert.fingerprint256).toBe(
+ "51:5D:10:ED:F9:F1:71:9C:03:EB:1D:17:37:2E:B0:CE:CA:8E:E7:E2:D7:D9:F0:9F:25:8D:4C:30:61:FE:86:3A",
+ );
+ expect(cert.fingerprint512).toBe(
+ "61:C6:22:B6:19:B6:28:EC:5E:B1:B5:C7:A2:45:3B:A6:BA:D6:1D:A6:96:28:07:47:04:3B:04:3A:2D:A1:D7:8E:C4:55:83:B9:11:7F:6C:3B:EB:5A:66:C5:CC:E0:44:E8:4F:F1:6C:16:14:03:5B:71:76:F9:42:0C:04:5F:C0:F1",
+ );
+ expect(cert.serialNumber).toBe("03E071FE809E66081139F0BDD02AC346");
+ expect(cert.raw).toBeInstanceOf(Buffer);
+ } finally {
+ socket.end();
+ }
+});
+
+it("getCipher, getProtocol, getEphemeralKeyInfo, getSharedSigalgs, getSession, exportKeyingMaterial and isSessionReused should work", async () => {
+ const socket = (await new Promise((resolve, reject) => {
+ connect({
+ ALPNProtocols: ["http/1.1"],
+ host: "bun.sh",
+ servername: "bun.sh",
+ port: 443,
+ rejectUnauthorized: false,
+ requestCert: true,
+ })
+ .on("secure", resolve)
+ .on("error", reject);
+ })) as TLSSocket;
+
+ try {
+ expect(socket.getCipher()).toMatchObject({
+ name: "TLS_AES_128_GCM_SHA256",
+ standardName: "TLS_AES_128_GCM_SHA256",
+ version: "TLSv1/SSLv3",
+ });
+ expect(socket.getProtocol()).toBe("TLSv1.3");
+ expect(typeof socket.getEphemeralKeyInfo()).toBe("object");
+ expect(socket.getSharedSigalgs()).toBeInstanceOf(Array);
+ expect(socket.getSession()).toBeInstanceOf(Buffer);
+ expect(socket.exportKeyingMaterial(512, "client finished")).toBeInstanceOf(Buffer);
+ expect(socket.isSessionReused()).toBe(false);
+
+ // BoringSSL does not support these methods for >= TLSv1.3
+ expect(socket.getFinished()).toBeUndefined();
+ expect(socket.getPeerFinished()).toBeUndefined();
+ } finally {
+ socket.end();
+ }
+});
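Review bot: Both new tests pin values from the live leaf certificate of bun.sh (`fingerprint*`, `serialNumber`, issuer CN, and a `valid_to` of "Aug 30 01:36:51 2023 GMT"), so they will fail at the next certificate rotation and on any runner without outbound network access, regardless of the TLS code under test. They also connect with `rejectUnauthorized: false`, so the compared fields come from a peer whose chain was never verified; that is tolerable for a parsing test but should be stated next to the option, e.g. `// verification disabled on purpose: this test only checks certificate field parsing`. A local `createServer` with a checked-in fixture certificate, as the server test file does with `COMMON_CERT`, would make the expected values stable; if the public host is kept, assert only shape (`toBeDefined`, `toBeInstanceOf(Buffer)`) for fields that rotate. The cipher name and protocol version asserted in the second test have the same problem, since they depend on what the remote server negotiates.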
diff --git a/test/js/node/tls/node-tls-server.test.ts b/test/js/node/tls/node-tls-server.test.ts
index 2a6101b9f..051458488 100644
--- a/test/js/node/tls/node-tls-server.test.ts
+++ b/test/js/node/tls/node-tls-server.test.ts
@@ -1,4 +1,5 @@
-import { createServer, Server, TLSSocket } from "tls";
+import { connect, createServer, Server, TLSSocket } from "tls";
+import type { PeerCertificate } from "tls";
import { realpathSync, readFileSync } from "fs";
import { tmpdir } from "os";
import { join } from "path";
@@ -287,6 +288,80 @@ describe("tls.createServer listen", () => {
});
});
+describe("tls.createServer", () => {
+ it("should work with getCertificate", done => {
+ let timeout: Timer;
+ let client: TLSSocket | null = null;
+ const server: Server = createServer(COMMON_CERT, socket => {
+ socket.on("secure", () => {
+ try {
+ expect(socket).toBeDefined();
+ const cert = socket.getCertificate() as PeerCertificate;
+ expect(cert).toBeDefined();
+ expect(cert.subject).toBeDefined();
+ expect(cert.subject).toMatchObject({
+ C: "AU",
+ ST: "Some-State",
+ O: "Internet Widgits Pty Ltd",
+ });
+
+ expect(cert.issuer).toBeDefined();
+ expect(cert.issuer).toMatchObject({
+ C: "AU",
+ ST: "Some-State",
+ O: "Internet Widgits Pty Ltd",
+ });
+
+ expect(cert.ca).toBeTrue();
+ expect(cert.bits).toBe(2048);
+ expect(cert.modulus).toBe(
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
+ );
+ expect(cert.exponent).toBe("0x10001");
+ expect(cert.pubkey).toBeInstanceOf(Buffer);
+ // yes these spaces are intentional
+ expect(cert.valid_from).toBe("Feb 3 14:49:35 2019 GMT");
+ expect(cert.valid_to).toBe("Feb 3 14:49:35 2020 GMT");
+ expect(cert.fingerprint).toBe("48:5F:4B:DB:FD:56:50:32:F0:27:84:3C:3F:B9:6C:DB:13:42:D2:D4");
+ expect(cert.fingerprint256).toBe(
+ "40:F9:8C:B8:9D:3C:0D:93:09:C4:A7:96:B8:A4:69:03:6C:DB:1B:83:C9:0E:76:AE:4A:F4:16:1A:A6:13:50:B2",
+ );
+ expect(cert.fingerprint512).toBe(
+ "98:56:9F:C0:A7:21:AD:BE:F3:11:AD:78:17:61:7C:36:AE:85:AB:AC:9E:1E:BF:AA:F2:92:0D:8B:36:50:07:CF:7B:C3:16:19:0F:1F:B9:09:C9:45:9D:EC:C9:44:66:72:EE:EA:CF:74:23:13:B5:FB:E1:88:52:51:D2:C6:B6:4D",
+ );
+ expect(cert.serialNumber).toBe("A2DD4153F2F748E3");
+
+ expect(cert.raw).toBeInstanceOf(Buffer);
+ client?.end();
+ server.close();
+ done();
+ } catch (err) {
+ client?.end();
+ server.close();
+ done(err);
+ }
+ });
+ });
+
+ const closeAndFail = (err: any) => {
+ clearTimeout(timeout);
+ server.close();
+ client?.end();
+ done(err || "Timeout");
+ };
+ server.on("error", closeAndFail);
+ timeout = setTimeout(closeAndFail, 1000);
+
+ server.listen(0, () => {
+ const address = server.address() as AddressInfo;
+ client = connect({
+ port: address.port,
+ host: address.address,
+ });
+ });
+ });
+});
+
describe("tls.createServer events", () => {
it("should receive data", done => {
const { mustCall, mustNotCall } = createCallCheckCtx(done);
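Review bot: The 1000 ms watchdog in "should work with getCertificate" is never cancelled on the path through the `secure` handler: neither the success branch nor the `catch` calls `clearTimeout(timeout)`, so `closeAndFail` still fires later and calls `server.close()` and `done("Timeout")` a second time. Add `clearTimeout(timeout);` before `client?.end();` in both branches. The client created in `server.listen` has no error listener and sets no verification options, although the expected certificate has matching subject and issuer fields and a `valid_to` in 2020; the test therefore appears to rely on the client accepting that certificate by default. Making this explicit with `rejectUnauthorized: false` in the `connect` options and `client.on("error", closeAndFail);` would turn a stricter verification default into a test failure instead of an unhandled error. `done(err || "Timeout")` passes a bare string; `done(err ?? new Error("Timeout"))` keeps a stack trace.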